eCryptfs: a Stacked Cryptographic Filesystem

A new cryptographic filesystem in the Linux kernel uses stacking technology.

The media has been delivering a seemingly endless stream of reports of
lost or stolen laptops, backup tapes, hard drives and servers from
government and corporate facilities. These devices often contain
medical, financial and other sensitive data. When the storage devices
fall into the wrong hands, attackers can access the data directly,
completely bypassing the access control mechanisms in place in the
organization's network. Reports indicate that millions of people
already have been affected by such compromises. As a result, customers and
citizens are at an increasing risk of identity fraud and loss of
privacy.

Although the cryptographic technology to protect data confidentiality has
existed for decades, many organizations have failed to integrate this
technology into their processes for handling sensitive data. In cases
where cryptography is included in that process, it is frequently obtrusive,
costly and complicated. Organizations sometimes neglect to establish
data encryption policies, and employees often ignore such policies
once they are in place.

In cases where employees attempt to utilize cryptography, they often
use it ineffectively. For instance, they often select weak keys, and
it is easy to save or transfer data inadvertently in unencrypted form
through insecure media (such as Web e-mail or a USB Flash drive).
Security strategies that depend on individual applications performing
their own encryption often fail when the user copies and pastes
sensitive information to other applications that do not have
cryptographic capability.

Data encryption needs to be made ubiquitous, transparent, flexible,
easily deployable, integrated into the data handling process and, of
course, secure enough to counter sophisticated attacks. These
properties need to be in effect regardless of the particular
applications accessing the data. To make encryption services
application-agnostic, the operating system kernel itself should
provide a system-wide data encryption service for sensitive
information written to secondary storage.

Popular Cryptographic Filesystem Solutions

Several options exist for filesystem encryption under Linux, all
with various advantages and disadvantages. Device mapper crypt
(dm-crypt) ships with the Linux kernel and provides block device layer
encryption. Loop-AES and TrueCrypt, which must be obtained
separately from the official Linux kernel, also provide encryption at
the block device layer. With block device layer encryption, the user
creates the filesystem on the block device, and the encryption layer
transparently encrypts the data before writing it to the actual lower
block device.

The main advantage of block device layer encryption is that it is
simple in concept and implementation. Another advantage of block
device layer encryption is that attackers learn nothing about the
filesystem unless they have the key; for instance, attackers will not
even know the type of filesystem or the directory structure. Sparse
files can be securely and efficiently supported in filesystems on
encrypted block devices.

Block device encryption can have disadvantages that stem from the lack
of integration with the filesystem itself:

A fixed region of storage must be pre-allocated for the entire
filesystem. Resizing the partition later is often an inconvenient
process.

It can be difficult to change encryption keys or ciphers.

There is no flexibility for the block device encryption mechanism to
encrypt different files with different keys or ciphers.

Applications such as incremental backup utilities need access to the
unencrypted data.

All content in the filesystem incurs the overhead of encryption and
decryption, including data that does not require secrecy.

Files must be re-encrypted with a user-space application before they
are transmitted through another medium.

EncFS is a user-space cryptographic filesystem that operates via FUSE.
User-space filesystems are easier to implement than kernel-native
filesystems, and they have the advantage of being able to
utilize user-space libraries easily. This makes it simple to implement
feature-rich filesystems with less time and effort on the part of the
developer. Unlike block device encryption solutions, EncFS operates as
an actual filesystem. EncFS encrypts and decrypts individual
files. Disadvantages of user-space filesystems based on FUSE include
performance overhead from frequent kernel/user-space context switches
and a current lack of support for shared writable memory mappings.

eCryptfs

eCryptfs is a kernel-native stacked cryptographic filesystem for
Linux. Stacked filesystems layer on top of existing mounted
filesystems that are referred to as lower filesystems. eCryptfs is
a stacked filesystem that encrypts and decrypts the files as they are
written to or read from the lower filesystem.

Applications in user space make filesystem system calls that go
through the kernel Virtual Filesystem (VFS). Both eCryptfs and the
lower filesystem (for example, ext3, JFS, NFS and so on) are registered in the
kernel VFS. The operations under the eCryptfs mountpoint first go to
eCryptfs. eCryptfs retrieves key material from the user session
key ring and uses the kernel cryptographic API to perform encryption
and decryption of file contents. eCryptfs may make key management
requests to the user-space eCryptfs dæmon (ecryptfsd). eCryptfs reads
and writes encrypted content stored in files in the lower filesystem
(Figure 1).

Figure 1. Application file operations go through eCryptfs.

Application file operations go through eCryptfs, which
communicates with the kernel crypto API, the kernel key ring and the
user-space eCryptfs dæmon to perform encryption and decryption.
eCryptfs manipulates files in lower filesystems, such as JFS or ext3.

eCryptfs aims to provide the flexibility of a Pretty Good Privacy
(PGP) application as a transparent kernel service. For that reason,
the OpenPGP (RFC 2440) specification inspires the basic key handling
techniques in eCryptfs. This includes the common procedure of using a
hierarchy of keys when performing cryptographic operations (Figure
2).

Figure 2. eCryptfs encrypts and decrypts individual data extents.

eCryptfs encrypts and decrypts individual data extents in
each file using a unique randomly generated File Encryption Key (FEK).
The FEK is encrypted with the File Encryption Key Encryption Key
(FEKEK), and the resulting Encrypted File Encryption Key (EFEK) is
stored in the header of each lower file.

The cryptographic metadata is in the header region of the encrypted
lower file. Users can transmit the lower file as is to other
users, and the recipients can access the decrypted contents of the file
through eCryptfs, so long as they have the proper key. This provides a
high degree of flexibility in how the files can be handled while
maintaining strong security.
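As an added example (not code from the article or from eCryptfs itself), the Go program below models the key hierarchy of Figure 2 and the portable lower file just described: a random per-file FEK, the EFEK in the lower file's header, extents encrypted separately under the FEK, and a recipient who holds the FEKEK reading a single extent. It assumes AES-GCM for both the EFEK wrap and the extents and a 32-byte toy extent size; eCryptfs's actual cipher modes, IV scheme and page-sized extents are not reproduced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// LowerFile models the lower file: element 0 is the header holding the EFEK,
// the rest are the independently sealed extents (toy size: 32 bytes each).
type LowerFile [][]byte

// gcm returns AES-128-GCM; keys are 16 bytes by contract, anything else panics.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// seal prepends a fresh random nonce; open reverses it and rejects a wrong key
// or tampered bytes, which is how a wrong FEKEK is caught at the header.
func seal(g cipher.AEAD, pt []byte) []byte {
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // a crypto/rand failure is fatal; there is nothing to recover
	return g.Seal(nonce, nonce, pt, nil)
}
func open(g cipher.AEAD, ct []byte) ([]byte, error) {
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// EncryptFile draws a random FEK, wraps it under the FEKEK into the EFEK kept
// in the header, and seals each extent separately under the FEK.
func EncryptFile(fekek, pt []byte) LowerFile {
	fek := make([]byte, 16)
	rand.Read(fek)
	lf, g := LowerFile{seal(gcm(fekek), fek)}, gcm(fek)
	for len(pt) > 32 {
		lf = append(lf, seal(g, pt[:32]))
		pt = pt[32:]
	}
	return append(lf, seal(g, pt)) // last extent, possibly short
}

// ReadExtent unwraps the FEK from the header with the FEKEK and decrypts only
// extent idx, the random access a page read needs.
func ReadExtent(fekek []byte, lf LowerFile, idx int) ([]byte, error) {
	fek, err := open(gcm(fekek), lf[0])
	if err != nil {
		return nil, err
	}
	return open(gcm(fek), lf[1+idx])
}
```

Because only the header depends on the FEKEK, the lower file can be handed to another user unchanged, and a recipient with the wrong FEKEK fails at the EFEK rather than reading garbage.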